IT Security

Main menu

Tag Archives: Windows

It took a while to do PoC changes, port from python to ruby, port from ruby to a metasploit module, change the used library in ruby, divide into two files (a tincd protocol library and an exploit module), write ROP chains for x86 and ARM architecture, support various operating systems and make all the necessary changes to make ruby people happy. But it was really a good experience.

A friend of mine wrote a Proof of Concept exploit for the tincd server (a VPN software) for authenticated peers (post-auth), the original blog post about it can be found here. I turned the PoC crash into a weaponized exploit for Windows XP, Windows 7 and FreeBSD. I think very often the exploits on exploit-db.com do not contain a lot of information to reproduce the exploit development and a lot of “reversing” of “some hex bytes” is necessary to fully understand it. Therefore I provide several more detailed scripts in different programming languages with comments here. The vulnerability/my exploit/the software has the following characteristics:

No DEP, ASLR or other security mechanisms for the three OS. It’s the same setup file for both Windows (tinc-1.1pre6-install.exe). FreeBSD is compiled from the ports.

memcpy_chk protection introduced by gcc for Ubuntu. Seems to be non-exploitable (pretty sure it’s the same for Debian). gcc can easily do that because the buffer size is known at compile time.

Straight forward (memcpy) saved return pointer overwrite.

The second value on the stack when EIP is overwritten is a pointer to the start of our payload. Convenient.

I authored the exploiting part and changed the logic part to remove some issues. First, I wrote everything in python. Second, ported the entire thing to ruby with eventmachine. Then I decided to port the thing to metasploit and removed the eventmachine dependency. At that point I decided that improvements regarding reliability were necessary. The Metasploit module works for every of my test machines on the first try.

Ok, so everybody who just wants to see the outcome, go to my github page and download it. I also made a pull request and after some feedback it should end up in Metasploit (so maybe just check your Metasploit installation).

For everyone more interested in the “how”, the python script and the ruby script at the end of this post. The scripts are not as reliable, flexible, advanced, maintained and convenient as the Metasploit module. But they should provide everybody with enough information on how to exploit such a buffer overflow vulnerability.

Right now I’m writing the ROP chain for the exploitation on Fedora 19 (has NX enabled). Interesting and I’m already executing code, but not release ready yet. I hope I’ll be able to update the Metasploit module. There are so many other combinations that would be interesting too (ARM, x64, systems with ASLR…)

Firewall, IDS, IPS, Load Balancers, Proxies, Antivirus, MAC address filtering and no USB ports. A lot of companies are filtering the information/data that is getting into their network (and out of their network). But in the end the user wants to get information from the internet. Let’s face it: Text is information. So let’s use text to get a binary executable into the corporate network. While it’s relatively easy to convert text into binaries and back on Linux and Mac (thank you bash!), it was sometimes a pain in Windows until Powershell. As far as I know Powershell is available on all Windows 7 and newer machines.

This is not a new technique, it’s already in use, for example in the SET. I read a blogpost which explains exactly what we are doing here, I just wanted to try it myself and I changed the encoding from decimal to hex, which removes the necessity for a delimiter and makes the text data smaller in general. Additional I’ll show how to hide the information in a GIF image and how to extract it on a Powershell.

Let’s first convert our binary into text (hex encoding). So first prepare the text we want to put somewhere on the internet. Here is a small python one-liner that converts notepad.exe into the required format.

That’s already the text version you can put on a website and you can access from your company network and your company desktop machine (eg. pastebin). If you can access the notepad_hex.txt on a web server directly, it’s probably better if you use the “save as” dialogue of your browser to store it (it’s quite a long hex string). As soon as your back in your company network, save the contents to a file. Let’s assume you saved it to C:\Users\user\Desktop\notepad_hex.txt

So let’s convert the text back to an executable in our Powershell. I just adopted the code from the blogpost:

You should have notepad.exe on your Desktop now. This will also work with other file formats, for example zip files, although much slower with increasing file size.

Of course there are other methods of smuggling data into the corporate network. For example if you prefer to put the text data into a picture, you can use ImageMagick (included in the Ubuntu repositories and Mac Ports) in a shell. So for example to put the hex data into a gif comment, use the following commands (first rename an image to black.gif):

So it basically says we have to look for 0x21FE and read the number of bytes specified in the first byte. Then read again the next byte to see how many bytes we have to read and so on. Let’s do that in a Powershell:

I feel like Powershell and me could get good friends. If you want to try it yourself, save the following notepad.gif on your Desktop, change the username in the paths of the code above and copy/paste it into a Powershell.

Extracting Windows hashes for password cracking is pretty basic, right? If you try to copy the SAM and SYSTEM file from C:\WINDOWS\system32\config\ on a running Windows 2003 server you get an error message, saying that it’s already in use. So before you start using shadowcopies or ntbackup or any other tools, consider just copying C:\WINDOWS\repair\SAM and SYSTEM. Basically the same files, altough it seems that the repair folder is not always up to date.